I have now done that and found that the ACL takes effect correctly. At least at first glance, I don't understand where the problem is.
My complete ACL:
backend_deleteBase : sys_group(opsiadmin)
backend_.* : all
hostControl.showPopup : sys_group(opsiadmin); opsi_depotserver; opsi_client
hostControl.* : sys_group(opsiadmin); opsi_depotserver
host_get.* : sys_group(opsiadmin); opsi_depotserver; self; opsi_client(attributes(!opsiHostKey,!description,!lastSeen,!notes,!hardwareAddress,!inventoryNumber))
auditSoftware_delete.* : sys_group(opsiadmin); opsi_depotserver
auditSoftware_.* : sys_group(opsiadmin); opsi_depotserver; opsi_client
auditHardware_delete.* : sys_group(opsiadmin); opsi_depotserver
auditHardware_.* : sys_group(opsiadmin); opsi_depotserver; opsi_client
.*_get.* : sys_group(opsiadmin); opsi_depotserver; opsi_client
.* : sys_group(opsiadmin); opsi_depotserver; self
The last lines of the log, which include, among other things, the ACL check:
[7] [May 09 18:40:39] Sending deflated data (backwards compatible - with content-encoding 'deflate') (Worker.py|637)
[7] [May 09 18:40:39] <opsiconfd.workers.WorkerOpsiconfdJsonRpc instance at 0x7f17a211a4d0>._setCookie (Worker.py|434)
[7] [May 09 18:40:39] Freeing session <OpsiconfdSession(<opsiconfd.session.OpsiconfdSessionHandler object at 0x7f17a23c5b90>, name=u'OPSISID', sessionMaxInactiveInterval=120> (Worker.py|318)
[7] [May 09 18:40:39] Now using log-file '/var/log/opsi/opsiconfd/172.16.35.94.log' for object 0x7f17a16cbdd0 (Logger.py|489)
[6] [May 09 18:40:39] Worker <opsiconfd.workers.WorkerOpsiconfdJsonRpc instance at 0x7f17a16cbdd0> started processing (Worker.py|250)
[6] [May 09 18:40:39] Reusing session for client '172.16.35.94', application 'opsi linux bootimage 20180208' (Worker.py|396)
[7] [May 09 18:40:39] Expecting deflate compressed data from client (workers.py|486)
[7] [May 09 18:40:39] Now using log-file '/var/log/opsi/opsiconfd/172.16.35.94.log' for object 0x7f17a21272d0 (Logger.py|489)
[5] [May 09 18:40:39] -----> Executing: getClientIds_list(None, [], None, None, None, None, None, None, None) (JsonRpc.py|128)
[7] [May 09 18:40:39] ExtendedBackend <BackendManager()>: executing 'getClientIds_list' on backend <BackendExtender()> (Backend.py|508)
[7] [May 09 18:40:39] ExtendedBackend <BackendExtender()>: executing 'configState_getClientToDepotserver' on backend <OPSI.Backend.BackendManager.BackendAccessControl object at 0x7f17a16f4990> (Backend.py|508)
[7] [May 09 18:40:39] Access control for method 'configState_getClientToDepotserver' with params {'clientIds': [], 'masterOnly': True, 'productIds': [], 'depotIds': []} (BackendManager.py|820)
[8] [May 09 18:40:39] Testing if ACL pattern u'backend_deleteBase' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'backend_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'hostControl.showPopup' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'hostControl.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'host_get.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditSoftware_delete.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditSoftware_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditHardware_delete.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'auditHardware_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'.*_get.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[7] [May 09 18:40:39] Found matching acl for method 'configState_getClientToDepotserver': [{'denyAttributes': [], 'type': u'sys_group', 'ids': [u'opsiadmin'], 'allowAttributes': []}, {'denyAttributes': [], 'type': u'opsi_depotserver', 'ids': [], 'allowAttributes': []}, {'denyAttributes': [], 'type': u'opsi_client', 'ids': [], 'allowAttributes': []}] (BackendManager.py|827)
[7] [May 09 18:40:39] Method 'configState_getClientToDepotserver' using acls: [] (BackendManager.py|862)
[6] [May 09 18:40:39] Traceback: (Logger.py|798)
[6] [May 09 18:40:39] File "/usr/lib/python2.7/dist-packages/OPSI/Service/JsonRpc.py", line 134, in execute
self.result = eval("instance.%s(*params)" % self.getMethodName())
(Logger.py|798)
[6] [May 09 18:40:39] File "<string>", line 1, in <module>
(Logger.py|798)
[6] [May 09 18:40:39] File "<string>", line 1, in getClientIds_list
(Logger.py|798)
[6] [May 09 18:40:39] File "/usr/lib/python2.7/dist-packages/OPSI/Backend/Backend.py", line 510, in _executeMethod
return meth(**kwargs)
(Logger.py|798)
[6] [May 09 18:40:39] File "/etc/opsi/backendManager/extend.d/20_legacy.conf", line 615, in getClientIds_list
return [client['hostId'] for client in self.getClients_listOfHashes(serverId, depotIds, groupId, productId, installationStatus, actionRequest, productVersion, packageVersion, hwFilter)]
(Logger.py|798)
[6] [May 09 18:40:39] File "/etc/opsi/backendManager/extend.d/20_legacy.conf", line 511, in getClients_listOfHashes
clientToDepotservers = self.configState_getClientToDepotserver(depotIds=forceHostIdList(depotIds))
(Logger.py|798)
[6] [May 09 18:40:39] File "<string>", line 1, in configState_getClientToDepotserver
(Logger.py|798)
[6] [May 09 18:40:39] File "/usr/lib/python2.7/dist-packages/OPSI/Backend/Backend.py", line 510, in _executeMethod
return meth(**kwargs)
(Logger.py|798)
[6] [May 09 18:40:39] File "<string>", line 1, in configState_getClientToDepotserver
(Logger.py|798)
[6] [May 09 18:40:39] File "/usr/lib/python2.7/dist-packages/OPSI/Backend/BackendManager.py", line 867, in _executeMethodProtected
raise BackendPermissionDeniedError(u"Access to method '%s' denied for user '%s'" % (methodName, self._username))
(Logger.py|798)
[6] [May 09 18:40:39] ==>>> Backend permission denied error: Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername' (JsonRpc.py|139)
[3] [May 09 18:40:39] Execution error: Backend permission denied error: Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername' (JsonRpc.py|140)
[4] [May 09 18:40:39] Failed RPC on u'getClientIds_list' with params [None, [], None, None, None, None, None, None, None]: <BackendPermissionDeniedError(u"Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername'")> (statistics.py|426)
[7] [May 09 18:40:39] Sending deflated data (backwards compatible - with content-encoding 'deflate') (Worker.py|637)
[7] [May 09 18:40:39] <opsiconfd.workers.WorkerOpsiconfdJsonRpc instance at 0x7f17a16cbdd0>._setCookie (Worker.py|434)
[7] [May 09 18:40:39] Freeing session <OpsiconfdSession(<opsiconfd.session.OpsiconfdSessionHandler object at 0x7f17a23c5b90>, name=u'OPSISID', sessionMaxInactiveInterval=120> (Worker.py|318)
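An added example, not part of the original post and not opsi code: a small Python 3 parser for the access-control lines in the debug log above. For each decision it reports which ACL pattern matched, which entry types that ACL line carries, which entries the log lists under "using acls", and the denied user. The function names are hypothetical; the sample lines are copied from the log in the post.

```python
import re

# Sample lines copied from the log in the post above.
SAMPLE_LOG = """\
[8] [May 09 18:40:39] Testing if ACL pattern u'auditHardware_.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[8] [May 09 18:40:39] No match -> skipping. (BackendManager.py|824)
[8] [May 09 18:40:39] Testing if ACL pattern u'.*_get.*' matches method 'configState_getClientToDepotserver' (BackendManager.py|822)
[7] [May 09 18:40:39] Found matching acl for method 'configState_getClientToDepotserver': [{'denyAttributes': [], 'type': u'sys_group', 'ids': [u'opsiadmin'], 'allowAttributes': []}, {'denyAttributes': [], 'type': u'opsi_depotserver', 'ids': [], 'allowAttributes': []}, {'denyAttributes': [], 'type': u'opsi_client', 'ids': [], 'allowAttributes': []}] (BackendManager.py|827)
[7] [May 09 18:40:39] Method 'configState_getClientToDepotserver' using acls: [] (BackendManager.py|862)
[3] [May 09 18:40:39] Execution error: Backend permission denied error: Access to method 'configState_getClientToDepotserver' denied for user 'Benutzername' (JsonRpc.py|140)
"""

TESTING = re.compile(r"Testing if ACL pattern u?'(.+)' matches method '([^']+)'")
FOUND = re.compile(r"Found matching acl for method '([^']+)': (\[.*\]) \(")
USING = re.compile(r"Method '([^']+)' using acls: (\[.*\]) \(")
DENIED = re.compile(r"Execution error: .*Access to method '([^']+)' denied for user '([^']*)'")
ENTRY_TYPE = re.compile(r"'type': u?'([^']+)'")

def summarize(log_text):
    """Return one dict per access-control decision found in the log text."""
    decisions, last_pattern, current = [], {}, None
    for line in log_text.splitlines():
        if m := TESTING.search(line):
            # The pattern tested last before "Found matching acl" is the one that matched.
            last_pattern[m.group(2)] = m.group(1)
        elif m := FOUND.search(line):
            current = {"method": m.group(1),
                       "pattern": last_pattern.get(m.group(1)),
                       "entry_types": ENTRY_TYPE.findall(m.group(2)),
                       "effective": None, "denied_user": None}
            decisions.append(current)
        elif (m := USING.search(line)) and current and current["method"] == m.group(1):
            current["effective"] = ENTRY_TYPE.findall(m.group(2))
        elif (m := DENIED.search(line)) and current and current["method"] == m.group(1):
            current["denied_user"] = m.group(2)
    return decisions

def empty_effective(decisions):
    """Decisions where a pattern matched but the log shows an empty 'using acls' list."""
    return [d for d in decisions if d["entry_types"] and d["effective"] == []]

if __name__ == "__main__":
    for d in empty_effective(summarize(SAMPLE_LOG)):
        print(d)
```
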